A major U.S. gas pipeline operator gets shut down by ransomware. A ransomware attack on a meat supplier forces the shutdown of meat plants. Attacks force schools to close and even disrupt critical healthcare services.
Once only a niche topic of conversation, ransomware has been dominating headlines in the mainstream media, as bad actors are becoming more brazen and making bolder threats.
We are hearing that many companies are feeling a sense of urgency to get their employees more involved in basic measures to protect against ransomware, and employees are speaking up as well, wondering what they can do.
Many of the most devastating ransomware attacks start with a phishing email or corrupt link accessed by an employee. Accidents happen, and we can’t stop all ransomware. But minimizing the simple, common-sense mistakes by employees with more education can go a long way. Everyone has a role to play, and your employees are the most important part of a multi-layered approach to prevention.
“Just like your home, security extends way beyond your front door,” my colleague Sonya Duffin said during our recent Veritas L!VE episode on ransomware. “You’re going to lock your windows, your back door, your garage. You’re going to put a fence up. You’re going to have a neighborhood watch.”
Here are ten common-sense steps employees should take to prevent ransomware attacks:
- Only open emails and click links from senders you trust. A common phishing tactic is a spoofed email whose header claims to come from a trusted source (the IRS, PayPal, your company HR department). An easy way to spot these is to check the sender’s actual address, not just the display name. Phishing emails use suspicious domains that don’t match the legitimate sender’s domain and often include random letters and numbers. A best practice is to always check where a link really points by hovering over it before clicking. Always err on the side of caution. If a link looks suspicious (“phishy”), even from a trusted source, go one step further and confirm with the sender through a different channel than the one the link arrived on.
- Be very careful opening email attachments. Employees should be coached and reminded not to open attachments from a source they don’t know. Basic common sense, but worth repeating.
- Install operating system updates. IT should frequently educate employees on the importance of allowing updates and patches to be installed. Unpatched systems and servers are behind some of the most notorious ransomware attacks in history. Make sure employees aren’t delaying updates because of the inconvenience.
- Use strong passwords. This one seems incredibly obvious. But the most frequently used password is “password.” Many people use their own name or their children’s names and birthdates, which an attacker can guess once they have collected personal information about them. Make sure employees are educated on setting long and complex passwords, on never keeping default (factory-set) passwords, and ensure multi-factor authentication is enabled.
- Multi-factor authentication (also known as MFA, or sometimes two-factor authentication or 2FA). MFA requires employees to present two pieces of evidence, or credentials, when logging in to an account. Credentials could be: something you create (like a password or PIN), something you have (like a smart card), or something you are (like Face ID or your fingerprint). Most employees already experience this when logging in to their bank, which typically requires an app or generates a one-time code that they enter to gain access. Whenever possible, encourage employees to set up multi-factor authentication.
- Make sure to use a secure VPN when on public Wi-Fi. Many employees working at a coffee shop or airport will simply connect to unsecured Wi-Fi, which makes them an easy mark for hackers, who can gain access to emails or account information sent over the internet. Make sure employees understand the importance of using a company virtual private network, which will encrypt their data.
- Browse safely. Even during work hours, employees may be visiting any number of personal sites or even downloading unauthorized software, a perfect opportunity for “drive-by downloading”, which involves a malicious payload being installed as part of an attachment or URL. Make sure employees understand the importance of avoiding suspicious sites and reading popups carefully before clicking.
- Don’t disclose personal information to unknown people. Many ransomware attackers collect personal information from employees via phone calls, text messages, or email. They use that personal information to send phishing emails. Educate employees on the need to refrain from sharing their personal information with anyone they don’t know.
- Be aware of social engineering tactics. Related to the point above, social engineering involves manipulating people into giving up their login credentials, for example by asking for urgent assistance or for a donation to a seemingly worthy cause. Make sure employees understand how social engineering works and are distrustful by default.
- Be careful plugging USB sticks into your computer. Yes, even USB sticks are part of the attack surface. Try2Cry and Spora are two examples of ransomware strains that spread via USB sticks. A good company policy is to only allow employees to use company-issued USB sticks, or to avoid them completely.
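The first tip above comes down to two checks: does the sender’s real address match the name it claims, and does a link really go where its text says? The script below automates exactly those checks over a constructed sample message. It is an added example written for this post, not Veritas code or part of any product; the `TRUSTED_DOMAINS` allow-list, both sample emails and the simplified “registered domain” logic (no public-suffix list) are assumptions for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of brands/domains this organisation trusts (example values).
TRUSTED_DOMAINS = {"paypal.com", "irs.gov", "example-corp.com"}

# Constructed phishing sample: display name claims PayPal, the real sender domain is
# a lookalike with digits, Reply-To goes elsewhere, and the link text hides the target.
SAMPLE_EMAIL = """\
From: "PayPal Billing" <alerts@paypa1-secure-8823.com>
Reply-To: refund@mail-verify-login.net
To: employee@example-corp.com
Subject: Urgent: your account is suspended
Content-Type: text/html

<html><body>
<p>Please verify your account within 24 hours.</p>
<p><a href="http://paypa1-secure-8823.com/login">https://www.paypal.com/myaccount</a></p>
</body></html>
"""

# Constructed benign sample for comparison.
CLEAN_EMAIL = """\
From: "HR Department" <hr@example-corp.com>
To: employee@example-corp.com
Subject: Benefits enrollment reminder
Content-Type: text/html

<html><body><p>Enrollment closes Friday:
<a href="https://benefits.example-corp.com/enroll">https://benefits.example-corp.com/enroll</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags, i.e. what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'www.example.com' (assumption: last two labels)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL, ignoring userinfo and port tricks like http://paypal.com@evil/."""
    return urlparse(url).netloc.split("@")[-1].split(":")[0]


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Display name drops a trusted brand that the sender domain does not belong to.
    for brand in sorted(TRUSTED_DOMAINS):
        label = brand.split(".")[0]
        if label in display.lower() and sender_domain != brand:
            findings.append(f"display name mentions {label} but sender domain is {sender_domain}")
    # 2. Sender domain contains digit runs or letter-digit substitutions (paypa1, g00gle).
    if re.search(r"\d{3,}", sender_domain) or re.search(r"[a-z]\d[a-z]", sender_domain):
        findings.append(f"sender domain {sender_domain} contains suspicious digits")
    # 3. Reply-To points somewhere other than the sender's domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and "@" in reply:
        reply_domain = registered_domain(reply.split("@")[-1])
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender")
    # 4. Link text shows one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for text, href in parser.links:
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown and registered_domain(shown) != registered_domain(host_of(href)):
            findings.append(f"link text shows {shown} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing sample", SAMPLE_EMAIL), ("clean sample", CLEAN_EMAIL)):
        print(name, "->", phishing_indicators(sample) or "no indicators")
```

Running it reports four findings for the phishing sample and none for the clean one. The same four checks are what a mail gateway or a user-reporting triage workflow applies first, and they map directly onto what an employee can verify by eye: the real address behind the display name, and the real target behind the link.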
Good cybersecurity hygiene involves many components for both IT departments and employees themselves. Some of the above tips may seem basic, but ransomware attacks have become so disruptive that it’s time for companies to take their cybersecurity training efforts to a more urgent level. Microlearning or even gamification are both good ways to make training sessions more engaging.
Even an incremental increase in employee awareness could go a long way to preventing your company from being the next high-profile ransomware victim.